Azure Sentinel – Approaches to sizing and pricing if you don’t have Log Analytics?

As there are lots of questions on this topic, I’m hoping this post will help. Also see my other post if you DO have Log Analytics.

What to do if you don’t have Log Analytics already in use in your company today, but want to price Azure Sentinel:

Here I discuss three options:

1. An estimate, using typical data volumes
2. Do you have a SIEM today?
3. Run a small POC / Sizing exercise

Option 3 is my preferred method if you have the time.

Option 1 – Estimate

Step 1: A typical Azure Virtual Machine ingests 1-3GB of logs a month (see the screenshot of Azure Monitor below). Now we can debate “typical” for a long time, so please see this as a starting point!

That is a good starting point for devices on-premises or in the cloud. You now need to work out how many servers/desktops you have and calculate how much data that’s likely to be per day (in gigabytes).

E.g. 100 servers all sending 1GB a month = 100GB total / 31 days = 3.22GB per day. Sentinel requires a whole number, so I’d advise you to round this figure up (your decision), in this case to 4GB a day.

Please put this into your spreadsheet of choice. In Excel it looks like this.

Column 5 is a calculated value: Column 3 [GB per Month] / Column 4 [Days in Month].

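| Estimated GB | Device Count | GB per Month | Days in Month | GB per Day |
|---|---|---|---|---|
| 1 | 100 | 100 | 31 | 3.226 |
| 2 | 100 | 200 | 31 | 6.452 |
| 3 | 100 | 300 | 31 | 9.677 |
| 4 | 100 | 400 | 31 | 12.903 |
| 5 | 100 | 500 | 31 | 16.129 |
| 6 | 100 | 600 | 31 | 19.355 |
| 7 | 100 | 700 | 31 | 22.581 |
| 8 | 100 | 800 | 31 | 25.806 |
| 9 | 100 | 900 | 31 | 29.032 |
| 10 | 100 | 1000 | 31 | 32.258 |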

Now we have some data to feed into the Azure Pricing Calculator.

Tip:
You can name sections of the calculator; in the following diagram I’ve called mine “Azure Sentinel 1GB per day option”. This is good for ‘what if’ scenarios, as you can take today’s per GB value and try out others, such as what happens if my ingestion goes to 2GB a day, using the table above. Simply clone the entry and re-name “Azure Sentinel 1GB per day option” to “Azure Sentinel 2GB per day option” etc…

Log in to the calculator if you can, so you can save and share the estimate (optional).

Find the [Security] tab on the left-hand side, select [Security], then [Azure Sentinel].

Select your currency (I’ve selected £ in the diagram); scroll right to the bottom of the page to do this!

Answer the 3 questions you see (marked with red boxes) in the screenshot.

Use the [CLONE] button if you want some ‘what if’ models; remember to re-name the sections!

Azure Cost Calculator example.

Notes:

The calculator for Azure Sentinel is for both Log Analytics (ingestion of Billable data, my query doesn’t count the free data types) and the Azure Sentinel analytics of that data – both are measured in Gigabytes (GB) per day. The calculator will automatically move from PAYG (pay as you go) to Capacity Reservation when the number you enter reaches the right threshold. Billing will start on Nov 1st 2019.

This is your estimated new monthly price for Log Analytics ingestion and for Sentinel to analyse your data, including 3 months retention, plus any additional retention you add.

If you plan to use Azure Logic Apps (playbooks), please add an item for those.

If you have what-if models and you save them to Excel via the [EXPORT] button, then the yearly total will be wrong!

Option 2 – Do you have a SIEM today?

Maybe you can get some data from that. There are so many variants (Events per Second etc.) and tools, so you are going to have to do some work on this one. Sorry! Do you have some idea that we can use here? If so, please leave a comment.

Option 3 – Run a small POC / Sizing exercise

Log Analytics allows for 5GB of free ingestion per customer. You can set a daily cap as well (note that excludes Security Data).
